Our site uses cookies to improve your experience of certain areas of the site and to allow the use of specific functionality like social media page sharing. You may delete and block all cookies from this site, but as a result parts of the site may not work as intended. By clicking any link on this page you are giving your consent.

$3.2 million is the average cost of a data breach claim

03 November 2017

The average cost of a data breach insurance claim for a large company was USD 3.2 million between 2014 and 2017, according to the latest Cyber Claims Study from NetDiligence.

For all companies the cost totalled USD 394,000, rising to USD 588,000 in the financial services sector and USD 537,000 in the healthcare sector. The largest breach cost was USD 16 million and the largest regulatory claim was upwards of USD 6 million. The study also found that breach costs were 20% higher when there was cloud involvement.

By comparison, the Cost of Data Breach Study from IBM and Ponemon found that the average cost of a data breach (whether insured or not) in the US was USD 7.35 million, up 5% on the prior year’s study. The average cost of a data breach in the US rose for the fourth consecutive year, hitting USD 225 per compromised record, the highest since the study began in 2006.

At USD 3.62 million, the global average cost of a data breach was almost half that of the US, where regulatory requirements tend to be tougher. This was 10% lower than in the previous year, although half of this reduction was due to currency fluctuations, according to the IBM study.

Despite the decline in the overall cost, companies are experiencing larger breaches, according to IBM and Ponemon. The average size of the data breaches increased 1.8% to more than 24,000 records.

Mid-market Targeted

NetDiligence’s analysis shows that mid-market companies are becoming an increased target for cyber criminals. Companies with revenues of less than USD 50 million were the most impacted, accounting for almost half of the 2,411 data breach insurance claims analysed between 2014 and 2017. Organisations with less than USD 2 billion in revenues accounted for 88% of the claims.

However, despite only accounting for 12% of the claims, larger organisations accounted for 76% of records exposed. Unsurprisingly, breach costs for larger organisations were substantially higher than costs for smaller organisations. The average cost for an organisation with revenues in excess of USD 2 billion was more than 15 times greater than the average cost for a smaller organisation.

Rising Costs

Overall, notification costs were 39% higher than in the previous study, while the maximum notification costs increased 176% to USD 5.52 million. Forensic costs increased 57%, ranging from USD 265 to USD 3.86 million, while public relations costs increased dramatically with an average of USD 81,000 compared to USD 54,000 last year.

According to NetDiligence, breaches involving intellectual property or trademark infringement had the highest average breach cost (USD 865,000), followed closely by payment card industry-related breaches (USD 844,000). The study showed an increase in breaches involving the theft of trade secrets or intellectual property, however, data breaches exposing personal identifiable information remained the largest cause of breach, representing 36% of cyber insurance claims.

Professional services firms experienced the largest number of claims in 2016, closely followed by healthcare. Financial services and retail occupied the third and fourth positions. However, when looking at the number of records exposed, the retail, healthcare and financial services sectors combined accounted for 99% of all records lost.

Social Engineering

According to cyber insurer Beazley, professional services firms are the most targeted sector for cyber attacks using social engineering. According to Beazley’s analysis, social engineering has emerged as a worrying trend, accounting for 18% of all breaches reported to Beazley by professional firms.

Beazley’s third quarter 2017 Breach Insights report also revealed a rapid growth of social engineering attacks as a cause of data breaches reported to the insurer by its clients. The percentage of data breaches involving social engineering increased from 1% in the first nine months of 2016 to 9% of the incidents reported to Beazley in the same period of 2017.

Read our Cyber Risks & Insurance Insights

Receive our monthly cyber risk newsletter

Jardine Lloyd Thompson Group plc

Jardine Lloyd Thompson Group plc, incorporated and registered in England and Wales. Registered Office at The St Botolph Building, 138 Houndsditch, London, EC3A 7AW. Registered number 1679424. Jardine Lloyd Thompson Group plc is a holding company, some of whose subsidiaries are authorised and regulated by the Financial Conduct Authority.